The first personal computers (PCs) were largely stand-alone devices with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or “LANs.” In both cases, maintaining security and controlling what information a user of a personal computer could access was relatively simple because the overall computing environment was limited and clearly defined.
With the ever-increasing popularity of the Internet, particularly the World Wide Web (“Web”) portion of the Internet, however, more and more personal computers are connected to larger networks. Providing access to vast stores of information, the Internet is typically accessed by users through Web “browsers” (e.g., Microsoft Internet Explorer® or Netscape Navigator® browser software) or other “Internet applications.” Browsers and other Internet applications include the ability to access a URL (Universal Resource Locator) or “Web” site. The explosive growth of the Internet has had a dramatic effect on the LANs of many businesses and other organizations. More and more employees need direct access through their corporate LAN to the Internet in order to facilitate research, business transactions, consumer transactions, and communications between branch offices, and to send and receive e-mail messages, to name just a few common applications.
As a result, corporate IS (Information Systems) departments and connected device users now face unprecedented challenges. Specifically, such departments, which have until recently operated largely in a clearly defined, controlled, and “friendly” environment, are now confronted with a far more complicated and hostile connection situation. As more and more computers are connected to the Internet, either directly (e.g., over a dial-up connection with an Internet Service Provider or “ISP”) or through a gateway between a LAN and the Internet, a whole new set of challenges faces LAN administrators and individual users alike: these previously closed computing environments are now opened to a worldwide network of computer systems. Specific challenges, for example, include the following: (1) attacks by perpetrators (hackers) capable of damaging the local computer systems, (2) unauthorized access to external data (e.g., pornographic and/or other unsuitable Web sites), (3) infiltration by viruses, “worms,” and “Trojan Horse” programs, as well as surreptitious installation of “spyware” applications and other types of malicious code that leak device, organizational, and personal information to unknown sources, (4) use of the local computer system for unauthorized personal activities (e.g., extensive Web browsing or game playing) with subsequent loss of productivity, and (5) hoarding available network bandwidth through use of bandwidth-intensive applications (e.g., real-time audio programs).
To mitigate system security issues, the software industry has introduced a myriad of products and technologies to address and minimize these events, including “firewalls,” proxy servers, and similar technologies, all designed to keep outside hackers from penetrating the corporate network. Corporate firewalls are applications that intercept the data traffic at the gateway to a wide area network (WAN) and check the data packets (i.e., Internet Protocol packets or “IP packets”) being exchanged for suspicious or unwanted activities. Initially, firewalls were used primarily to keep intruders off the LAN by filtering individual data packets. More recently, the concept has been expanded to include “Stateful Inspection.” Here, a firewall not only looks at the IP packets but also inspects the transport protocol header (e.g., transmission control protocol or “TCP”) of each packet, and even the application-level protocols, in order to better understand the exact nature of the data exchange. These technologies are now beginning to appear on the end-user devices as well.
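The difference between per-packet filtering and stateful inspection described above, as an added illustration that is not part of the original text and not the code of any product it names: a toy filter that tracks the TCP handshake per connection so inbound packets are admitted only as replies to connections an inside host opened. The internal prefix, the port-80 policy and the packets are constructed for the example.

```python
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # constructed: addresses with this prefix are "inside" the LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def pkt(src, dst, sport, dport, *flags):
    return Packet(src, dst, sport, dport, frozenset(flags))


def stateless_allow(p):
    """Plain packet filter: judges each packet alone by addresses and ports.
    Policy: inside hosts may talk to port 80; anything arriving from source
    port 80 is assumed to be a web reply, which is the weakness shown here."""
    if p.src.startswith(INSIDE_NET):
        return p.dport == 80
    return p.sport == 80


class StatefulFilter:
    """Stateful inspection: the decision depends on a connection table built
    from the TCP header flags, not on the packet in isolation."""

    def __init__(self):
        self.table = {}  # (inside_addr, inside_port, outside_addr, outside_port) -> state

    def allow(self, p):
        if p.src.startswith(INSIDE_NET):           # outbound direction
            key = (p.src, p.sport, p.dst, p.dport)
            state = self.table.get(key)
            if state is None:                        # only a SYN to port 80 opens a flow
                if p.dport == 80 and p.flags == {"SYN"}:
                    self.table[key] = "SYN_SENT"
                    return True
                return False
            if state == "SYN_RECEIVED" and "ACK" in p.flags:
                self.table[key] = "ESTABLISHED"      # handshake completed
            return True
        key = (p.dst, p.dport, p.src, p.sport)     # inbound: must match an open flow
        state = self.table.get(key)
        if state is None:
            return False                             # unsolicited, regardless of port
        if state == "SYN_SENT":
            if p.flags == {"SYN", "ACK"}:
                self.table[key] = "SYN_RECEIVED"
                return True
            return False
        return True
```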
Proxy servers or application gateways, on the other hand, are LAN server-based applications that act on behalf of the client application. Instead of accessing the Internet directly, the application first submits a request to the proxy server, which inspects the request for unsafe or unwanted traffic. Only after this inspection will the proxy server consider forwarding the request to the destination on the Internet.
Both strategies are based on a centralized filter mechanism, with most of the filtering work being performed on a remote system or server (as opposed to the individual client PCs). Such an approach is problematic, however. Because of the centralized nature of firewalls and proxy servers, each approach exacts significant performance penalties. During operation of a typical system employing either approach, a single server might have to do the filtering work for hundreds or even thousands of PCs or workstations, creating a problem called “latency.” Latency represents a major bottleneck to overall system performance from the perspective of both the end user and the network systems designer. As emerging technologies on the Internet require still faster data delivery (e.g., real-time audio and video feeds) and use more complex protocols, this problem will likely be exacerbated. In the case of firewalls employing “Stateful Inspection” technology, performance problems are aggravated by the fact that the firewall software needs to duplicate much of the protocol implementation of the client application as well as the transport protocol (e.g., TCP and/or user datagram protocol or “UDP”) in order to understand the data flow.
As another problem, centralized filter architectures lack vital information needed to correctly interpret the data packets, because the underlying protocols were designed for effective data transfer and not for data monitoring and interception. For instance, monitoring based on an individual client application (or versions thereof) is not supported, even though two identical data packets (or series of data packets) can have completely different meanings depending on the underlying context, i.e., how the client application actually interprets the data packets. As a result, computer viruses and/or Trojan Horse applications can camouflage data transmissions as legitimate traffic.
The base of computer users has become increasingly mobile. This mobility has created markets for devices that are sometimes part of the centralized computing architecture and at other times “outside” the organizational network and the domain of its policies. This mobility pits the extreme utility of such devices, and their relationship to productivity, against the need to manage access to services and transactions on the Internet.
There are still other disadvantages to centralized filtering. The approach is difficult to configure and administer. The task of setting up different rights for different users, workstations, and/or workgroups, for instance, is particularly difficult. No facilities are provided for delegating certain access and monitoring authority, for example, in order to allow a workgroup supervisor to manage less critical aspects of Internet access for his or her group without going through a central authority. Also, a centralized filter cannot distinguish between “active” use of the Internet (i.e., when user interaction with the PC causes the Internet access) and “background” use (i.e., when an application accesses the Internet without user interaction). Still further, a centralized filter is easily circumvented, for example, by a user employing a modem to establish a dial-up connection to an ISP (Internet Service Provider). Similarly, the proxy-server approach is unattractive. Special versions and/or specialized configurations of client applications are required, thus complicating system administration. Internet setup for portable computers employed at remote locations is especially complicated.
Providing a client-based filter (e.g., SurfWatch and CyberPatrol) for preventing users from accessing undesirable World Wide Web sites does not adequately overcome the disadvantages of centralized filtering. Designed largely as parental control tools for individual PCs, these programs are easily disabled by uninstalling the filter, whether accidentally or intentionally. A Windows user can, for example, simply reinstall Windows, which replaces certain driver files of the filter. This disables the filter and gives the user unrestricted access to the Internet.
Current threat management technologies typically utilize a “one-off” functional approach, such as an anti-spyware tool, a firewall, anti-virus (AV) software, a spam filter, a universal resource locator (URL) filter, and the like. The technical limitations of such an approach are numerous, and the challenges of threat mitigation cannot meaningfully be met by such piecemeal approaches that are neither content-driven nor specific. For example, an intrusion is seen by current threat management technologies as a firewall event, even though the intrusion might be connected to a Trojan Horse that is part of a virus and/or a worm and/or a spyware event. Similarly, a URL filtering product is aware of a “known bad website” where Trojan Horses and/or other damaging code are known to exist, but the URL filtering product has no way to communicate with the firewall product and/or the firewall product has no way to communicate with the URL filtering product. Likewise, a conventional Security Advisor (SA) becomes aware of, and publishes, specific content regarding a type of threat event, but this specific content is not connected to other functional conventional threat management technologies.
The nature of Internet threats is constantly changing. The authors of these threats are now combining them into coordinated attacks. For example, an author might create and/or use an off-the-shelf virus, combine that virus with a worm and/or a Trojan Horse, and then design those malicious software (malware) applications to send information to another Internet device and/or download spyware, keyloggers, Trojan Horses, rootkits, and/or other malware to the end-user device. Whole nefarious networks of infected devices now exist.
U.S. Pat. No. 5,987,611 to Freund, for example, discloses an administrator creating rules that are then sent to a desktop and/or a server. These rules are then used to configure the software firewall installed on the system. However, this configuration does not account for the case where threat-driven content, such as an anti-virus (AV) signature file, directs the creation and/or distribution of a rule, since the administrator is necessarily involved in the creation and/or distribution of all the rules.